
upgrade the guava version #4348

Closed
Nanmozhi22 opened this issue May 14, 2024 · 6 comments
Assignees
Labels
type:task Issues that are a change to the project that is neither a feature nor a bug fix.

Comments

@Nanmozhi22
Contributor

Nanmozhi22 commented May 14, 2024

Upgrade com.google.guava:guava to fix 2 Dependabot alerts in qa/large-data-tests/pom.xml
Upgrade com.google.guava:guava to version 32.0.0-android or later. For example:

```xml
<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>[32.0.0-android,)</version>
</dependency>
```

A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.

@Nanmozhi22 Nanmozhi22 added group:release type:task Issues that are a change to the project that is neither a feature nor a bug fix. labels May 14, 2024
@Nanmozhi22
Contributor Author

I will work on this issue

@psavidis
Contributor

Hello @Nanmozhi22,
Thank you for the interest to work on this item.

In order to qualify this item, could you please post in the ticket thread:
a) the Dependabot alerts mentioned in the ticket description
b) the vulnerability

Thanks,
Petros

@Nanmozhi22
Contributor Author

Nanmozhi22 commented May 21, 2024

Hello @psavidis

Here are the details which I got from Dependabot, please let me know.

Description:

Upgrade com.google.guava:guava to version 32.0.0-android or later. For example:

```xml
<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>[32.0.0-android,)</version>
</dependency>
```

Vulnerability details:

A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.
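The two mitigations the advisory quoted above names (explicitly tightening permissions after creation, or dropping `Files.createTempDir()` for an alternative) as an added example, not code from this issue or from the Camunda code base; the class and method names are hypothetical:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempDirPermissions {

    private static final String OWNER_ONLY = "rwx------";

    // Replacement for Guava's createTempDir(): java.nio creates the directory
    // atomically with the requested mode, so there is no window in which
    // other local users can read it (hypothetical helper name).
    public static Path createPrivateTempDir(String prefix) throws IOException {
        Set<PosixFilePermission> perms = PosixFilePermissions.fromString(OWNER_ONLY);
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(perms);
        return Files.createTempDirectory(prefix, attr);
    }

    // Mitigation for code that must keep using createTempDir(): chmod the
    // directory right after it is returned. Note the caveat: the directory
    // briefly exists with the open default mode before this call runs.
    public static Path restrictExisting(Path dir) throws IOException {
        Files.setPosixFilePermissions(dir, PosixFilePermissions.fromString(OWNER_ONLY));
        return dir;
    }

    // Check usable from a unit test: true if any group/other bit is set.
    // On non-POSIX file systems (e.g. Windows) the mode bits do not exist,
    // so the check reports false rather than throwing.
    public static boolean isGroupOrWorldAccessible(Path dir) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
            return perms.stream().anyMatch(p ->
                p != PosixFilePermission.OWNER_READ
                && p != PosixFilePermission.OWNER_WRITE
                && p != PosixFilePermission.OWNER_EXECUTE);
        } catch (UnsupportedOperationException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = createPrivateTempDir("camunda-qa-");
        System.out.println(dir + " group/other accessible: " + isGroupOrWorldAccessible(dir));
    }
}
```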

@psavidis
Contributor

@Nanmozhi22

Is CVE-2020-8908 the one you posted on the ticket?

@Nanmozhi22
Contributor Author

Hi @psavidis

Yes, correct, that is the one:

CVE ID
CVE-2020-8908

brianwarner pushed a commit to fidelity-contributions/camunda-camunda-bpm-platform that referenced this issue May 29, 2024
@psavidis
Contributor

psavidis commented Jan 8, 2025

Hello @Nanmozhi22,

Apologies for the late response. This item has been of low criticality and due to heavy load I didn't manage to provide an answer earlier. However, here are a few notes I'd like to make:

  • Reported Module: The qa/large-data-tests module belongs to the test suite and is not part of the production code.
  • Vulnerability Severity: The vulnerability of Guava is of low criticality (it has received a score of 3.3/10), especially given the fact it is found only in the test suite which is rather isolated and hard for an attacker to make use of the vulnerability.
  • Guava version: The version suggested in your PR uses bounds and an android version of guava. The suggestion looks a bit generic to me. I couldn't find any other usage of a dependency using a range syntax in the whole project, nor do I personally find it a best practice to have an implicitly calculated version instead of an explicit one.
  • The same version is used in the unit tests of the engine.

Given the above, I recommend skipping this request at this point as not needed, as
a) it would require more investment effort to check its correctness than the benefits it provides
b) the scope is not critical

Thank you for your interest to contribute 👍

KR,
Petros

@psavidis psavidis closed this as completed Jan 8, 2025
@camunda camunda deleted a comment from github-actions bot Jan 8, 2025
@tasso94 tasso94 closed this as not planned Won't fix, can't repro, duplicate, stale Mar 13, 2025